Webhooks will not validate (PHP)

New Member
1 0 0



I'm trying to validate the Webhooks that we are receiving to our PHP (Laravel) application. In Shopify the credentials I'm using are set up through a private internal app. I'm using the shared key depicted here in our admin. (I've also tried all of the keys for fun). I'm registering our Webhooks subscriptions via the API, so I don't think I need the Webhooks key that is shown when you set up the subscriptions up in the admin.


[75647dec9628aac4c336e47e53e4be65]_Image 2019-05-01 at 3.17.47 PM.png



$secret = utf8_encode(config('shopify.api_shared_secret')); // key from screenshot
$body = utf8_encode(file_get_contents('php://input')); // have also tried pulling the response from the request itself
$calculatedDigest = base64_encode(
$receivedDigest = $event->hmac; // X-Shopify-Hmac-Sha256 header as is

hash_equals($receivedDigest, $calculatedDigest) // never true

I've tried with and without the utf8_encode calls. After browsing this forum I thought that might help.


I can't tell what I'm missing bud the hash_equals call always fails. Does anyone see something I'm missing?